diff options
Diffstat (limited to 'src/lib/libtls/tls_verify.c')
| -rw-r--r-- | src/lib/libtls/tls_verify.c | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c index 0252e20575..35a18202a9 100644 --- a/src/lib/libtls/tls_verify.c +++ b/src/lib/libtls/tls_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */ | 1 | /* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * | 4 | * |
| @@ -27,8 +27,8 @@ | |||
| 27 | #include "tls_internal.h" | 27 | #include "tls_internal.h" |
| 28 | 28 | ||
| 29 | int tls_match_hostname(const char *cert_hostname, const char *hostname); | 29 | int tls_match_hostname(const char *cert_hostname, const char *hostname); |
| 30 | int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host); | 30 | int tls_check_subject_altname(X509 *cert, const char *host); |
| 31 | int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host); | 31 | int tls_check_common_name(X509 *cert, const char *host); |
| 32 | 32 | ||
| 33 | int | 33 | int |
| 34 | tls_match_hostname(const char *cert_hostname, const char *hostname) | 34 | tls_match_hostname(const char *cert_hostname, const char *hostname) |
| @@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname) | |||
| 80 | } | 80 | } |
| 81 | 81 | ||
| 82 | int | 82 | int |
| 83 | tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | 83 | tls_check_subject_altname(X509 *cert, const char *host) |
| 84 | { | 84 | { |
| 85 | STACK_OF(GENERAL_NAME) *altname_stack = NULL; | 85 | STACK_OF(GENERAL_NAME) *altname_stack = NULL; |
| 86 | union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; | 86 | union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; |
| @@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 123 | 123 | ||
| 124 | if (ASN1_STRING_length(altname->d.dNSName) != | 124 | if (ASN1_STRING_length(altname->d.dNSName) != |
| 125 | (int)strlen(data)) { | 125 | (int)strlen(data)) { |
| 126 | tls_set_error(ctx, | 126 | fprintf(stdout, "%s: NUL byte in " |
| 127 | "error verifying host '%s': " | 127 | "subjectAltName, probably a " |
| 128 | "NUL byte in subjectAltName, " | 128 | "malicious certificate.\n", |
| 129 | "probably a malicious certificate", | 129 | getprogname()); |
| 130 | host); | ||
| 131 | rv = -2; | 130 | rv = -2; |
| 132 | break; | 131 | break; |
| 133 | } | 132 | } |
| @@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 136 | rv = 0; | 135 | rv = 0; |
| 137 | break; | 136 | break; |
| 138 | } | 137 | } |
| 139 | } | 138 | } else |
| 139 | fprintf(stdout, "%s: unhandled subjectAltName " | ||
| 140 | "dNSName encoding (%d)\n", getprogname(), | ||
| 141 | format); | ||
| 140 | 142 | ||
| 141 | } else if (type == GEN_IPADD) { | 143 | } else if (type == GEN_IPADD) { |
| 142 | unsigned char *data; | 144 | unsigned char *data; |
| @@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 158 | } | 160 | } |
| 159 | 161 | ||
| 160 | int | 162 | int |
| 161 | tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) | 163 | tls_check_common_name(X509 *cert, const char *host) |
| 162 | { | 164 | { |
| 163 | X509_NAME *name; | 165 | X509_NAME *name; |
| 164 | char *common_name = NULL; | 166 | char *common_name = NULL; |
| @@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) | |||
| 184 | 186 | ||
| 185 | /* NUL bytes in CN? */ | 187 | /* NUL bytes in CN? */ |
| 186 | if (common_name_len != (int)strlen(common_name)) { | 188 | if (common_name_len != (int)strlen(common_name)) { |
| 187 | tls_set_error(ctx, "error verifying host '%s': " | 189 | fprintf(stdout, "%s: NUL byte in Common Name field, " |
| 188 | "NUL byte in Common Name field, " | 190 | "probably a malicious certificate.\n", getprogname()); |
| 189 | "probably a malicious certificate.", host); | ||
| 190 | rv = -2; | 191 | rv = -2; |
| 191 | goto out; | 192 | goto out; |
| 192 | } | 193 | } |
| @@ -212,13 +213,13 @@ out: | |||
| 212 | } | 213 | } |
| 213 | 214 | ||
| 214 | int | 215 | int |
| 215 | tls_check_hostname(struct tls *ctx, X509 *cert, const char *host) | 216 | tls_check_hostname(X509 *cert, const char *host) |
| 216 | { | 217 | { |
| 217 | int rv; | 218 | int rv; |
| 218 | 219 | ||
| 219 | rv = tls_check_subject_altname(ctx, cert, host); | 220 | rv = tls_check_subject_altname(cert, host); |
| 220 | if (rv == 0 || rv == -2) | 221 | if (rv == 0 || rv == -2) |
| 221 | return rv; | 222 | return rv; |
| 222 | 223 | ||
| 223 | return tls_check_common_name(ctx, cert, host); | 224 | return tls_check_common_name(cert, host); |
| 224 | } | 225 | } |